OIDC federation
Imagine that you are creating an application that accesses Amazon resources, such as GitHub Actions that uses workflows to access Amazon S3 and DynamoDB.
When you use these workflows, you make requests to Amazon services that must be signed with an Amazon access key. However, we strongly recommend that you do not store Amazon credentials long-term in applications outside Amazon. Instead, configure your applications to request temporary Amazon security credentials dynamically when needed using OIDC federation. The supplied temporary credentials map to an Amazon role that only has permissions needed to perform the tasks required by the application.
With OIDC federation, you don't need to create custom sign-in code or manage your own user
identities. Instead, you can use OIDC in applications, such as GitHub Actions or any other
OpenID Connect (OIDC)
OIDC federation supports both machine-to-machine authentication (such as CI/CD pipelines,
automated scripts, and serverless applications) and human user authentication. For human user
authentication scenarios where you need to manage user sign-up, sign-in, and user profiles,
consider using Amazon Cognito
Note
JSON Web Tokens (JWTs) issued by OpenID Connect (OIDC) identity providers contain an
expiration time in the exp
claim that specifies when the token expires. IAM
provides a five-minute window beyond the expiration time specified in the JWT to account for
clock skew, as allowed by the OpenID Connect (OIDC) Core 1.0
standard
Topics
Additional resources for OIDC federation
The following resources can help you learn more about OIDC federation:
-
Use OpenID Connect within your GitHub workflows by Configuring OpenID Connect in Amazon Web Services
-
Amazon Cognito Identity
in the Amplify Libraries for Android Guide and Amazon Cognito Identity in the Amplify Libraries for Swift Guide. -
How to use external ID when granting access to your Amazon resources
on the Amazon Security Blog provides guidance on securely configuring cross-account access and external identity federation.